42 CFR Part 2 UPDATE: What Providers Need to Know Now

Single TPO Consent. Patients can now sign one durable consent form that covers all future uses and disclosures of their SUD treatment records for Treatment, Payment, and Healthcare Operations (TPO). Previously, you needed separate consent for each disclosure to each provider. That consent stays in effect until the client revokes it.

HIPAA-Aligned Redisclosure. Once SUD records are shared under a valid TPO consent, downstream HIPAA-covered entities can redisclose those records consistent with HIPAA, with one critical exception: SUD records still cannot be used in civil, criminal, administrative, or legislative proceedings against the client without their separate written consent or a court order.

Updated Consent Forms Are Required. Even if you choose to stick with individual consent forms (which is still permitted), your forms must be updated to include revocation instructions, which were not previously required. If you adopt the single TPO consent, the form must include specific federally required language.

Notice of Privacy Practices (NPP) Must Be Updated. All covered entities that create, receive, or maintain SUD records must update their NPP to include Part 2-specific language, explaining the heightened protections for SUD records, how they differ from general HIPAA protections, and the restrictions on use in legal proceedings.

Accompanying Notice Required with Every Disclosure. When you share SUD records with another provider under consent, you must now include a notice that the records are protected by federal law, plus either a copy of the consent form or a clear description of its scope. This is creating real headaches for providers whose EHR systems don't easily support attaching consent documentation to disclosures.

SUD Counseling Notes. The rule creates a new category — SUD counseling notes — analogous to HIPAA psychotherapy notes. These require a separate, dedicated consent form for any use or disclosure and cannot be combined with consent for other purposes.

Real Enforcement Is Here. Part 2 violations now carry civil monetary penalties aligned with the HITECH penalty structure — up to $2.1 million per violation category. OCR has formal enforcement authority and has signaled it will investigate complaints with the same rigor it applies to HIPAA.

Breach Notification Now Applies. The HIPAA Breach Notification Rule now extends to Part 2 records. If SUD records are improperly disclosed, you have the same breach notification obligations you'd have for any HIPAA breach.

Staff training is non-negotiable. Your team needs to understand what the single TPO consent means, how to explain it to clients, and how to handle situations where clients may be in early recovery, withdrawing, or otherwise unable to fully process consent language. OCR views lack of training as potential evidence of "willful neglect."

You have a choice on consent approach. You can adopt the new single TPO consent (which simplifies administration but broadens downstream data flow), or you can continue using individual consent forms for each disclosure (more protective of client privacy, but more administrative burden). Many compliance experts suggest offering clients both options and documenting their choice.

Downstream risk is real. Once you share records under a single TPO consent, you have limited control over how downstream entities handle that data. If a hospital, payer, or health system that receives your client's SUD records mishandles a subpoena or treats the data as routine medical records, your consent form and processes may be scrutinized in any resulting enforcement action.

Your EHR may not be ready. Many systems don't have built-in workflows for attaching consent forms to disclosures, separating SUD counseling notes, or tracking redisclosure rights. This is a known industry-wide gap.

Consent capture and management to be built into onboarding. Commonly Well currently captures participant consent digitally at the point of enrollment with timestamping. Next month, our updated version will include electronic signature, version control, and the ability to serve the updated Part 2 TPO consent form as part of the standard participant activation workflow. Every consent event will be logged and auditable.

Privacy notice delivery, documented. When our system is updated next month, it will send the consent form and accompanying federal notice automatically. Delivery and acknowledgment will be tracked in the participant record.

Consent status as a platform-level data point. Commonly Well will track consent status (active, revoked, expired, not yet obtained) as a first-class attribute of every participant record. Workflows, disclosures, and data sharing will be gated by consent status — meaning the platform will enforce compliance rather than relying on staff memory or other outside capture.

SUD counseling note separation. Our data architecture will maintain separation between general SUD treatment records and SUD counseling notes, supporting the distinct consent requirements for each.

Audit trail for every disclosure. Every data access, report generation, and record share through Commonly Well’s update (coming next month) will be logged with who, what, when, and under what consent authority, creating the accounting of disclosures that Part 2 now requires.

Designed for the organizations Part 2 hits hardest. The providers most affected by these changes — smaller treatment centers, recovery residences, peer support organizations, and court-supervised programs — are exactly the organizations Commonly Well serves. We are building this update for your operational reality, not for enterprise hospitals or treatment systems with dedicated compliance departments.

Recovery Capital Index implementation and analysis

Community health surveys and population assessments

Program evaluation and outcomes measurement

Data dashboards for quality, performance, and equity monitoring